HOW TO GIT SECURITY



LOCAL considerations


Credentials 

Be aware of whether, where and how your credentials are stored (a credential
helper such as git credential-store writes them in plain text to
~/.git-credentials). Prefer logging in with SSH keys or access tokens instead of
your password.

Gitignore 

You can exclude specific files by listing the patterns in a file named
.gitignore in the root of your repository. Ignoring a file does not untrack one
that is already committed; such a file must be removed from the index and its
contents treated as leaked. Check your patterns with git check-ignore before
relying on them:


$ cat > .gitignore 

# Log File folder. 
**/logs/ 

# Environment variables. 
.env 

# Temporary data. 
data/ 


Sign your commits 

Signed commits let others verify that a commit really comes from the holder of
your key. Hosting platforms mark them as verified, and you can check them
locally with git log --show-signature.


$ gpg --full-generate-key 

$ gpg --list-secret-keys --keyid-format LONG your@mail.com 
sec rsa2048/37EAD8CA8C24F789 2020-01-30 [SC] [expires: 2022-01-29] 
385E670ED1F9BF887E6DABCA07EA64C78A746789 
uid [ultimate] Evil Platypus <your@mail.com> 

ssb rsa2048/28134627A631BEA1 2020-01-30 [E] [expires: 2022-01-29]

$ gpg --armor --export 37EAD8CA8C24F789 
# copy this to GitHub / GitLab 

$ git config --global user.signingkey 37EAD8CA8C24F789
$ git config --global commit.gpgsign true 



Generate keys and clone using SSH

Use SSH keys instead of passwords to authenticate to your Git servers and clone
over SSH. Protect the private key with a passphrase and load it into ssh-agent
rather than storing it unencrypted.


$ ssh-keygen -t ed25519 -C "leo@isec.de"

Generating public/private ed25519 key pair.

The key fingerprint is:

SHA256:onZbNXrSrrScrfzrer7bi7Dbsl)rFvC515f0s21QwG7k


Use .env files

.env files let you set environment variables without hard-coding secrets in
your source. List them in a VARIABLE=VALUE format, keep the file out of the
repository (it is listed in the .gitignore above) and read the values from the
environment at runtime:


$ cat .env
EMAIL_SERVER='some.email.de'
EMAIL_PORT=25
USER='leo'
PASSWORD='somepasswordleowouldchooseforemails'


#!/usr/bin/env python3
import os
from dotenv import load_dotenv

# Reads .env from the working directory into os.environ.
# Variables already present in the environment are not overridden.
load_dotenv()

# The secret only ever lives in the environment, never in the code.
secret_password = os.getenv("PASSWORD")
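The snippet above relies on the python-dotenv package. As an added example (not code from the original page or from python-dotenv), the following stdlib-only loader shows what the .env format actually contains and reproduces the two behaviours a practitioner most often trips over: values already set in the shell win over the file unless you explicitly override, so a stray $USER silently beats USER from .env, and os.getenv returns None for a missing secret instead of failing. The sample .env text and the require_env helper are constructed for this example.

```python
"""Minimal .env loader (stdlib only), mirroring python-dotenv's defaults.
Added example; SAMPLE_ENV and require_env are constructed, not from any library."""
import os
import shlex

# Constructed sample .env in the VARIABLE=VALUE format shown above.
SAMPLE_ENV = """
# Mail settings
EMAIL_SERVER='some.email.de'
EMAIL_PORT=25
export USER='leo'          # an 'export ' prefix is tolerated, as in python-dotenv
PASSWORD="s3cret with spaces"   # trailing comment
EMPTY=
"""


def parse_dotenv(text):
    """Parse VARIABLE=VALUE lines into a dict.

    Blank lines and comment lines are skipped, single or double quotes are
    removed, a trailing '# comment' is dropped and 'export ' is accepted."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        if not key.isidentifier():
            raise ValueError(f"invalid variable name in .env: {key!r}")
        # shlex handles the quoting and strips the trailing comment;
        # an unquoted empty value stays ''.
        parts = shlex.split(value, comments=True)
        values[key] = parts[0] if parts else ""
    return values


def load_dotenv_stdlib(text, environ=None, override=False):
    """Apply parsed values to an environment mapping (os.environ by default).

    Like python-dotenv, variables that already exist win unless override=True.
    Returns only the variables that were actually set, so callers can see what
    the shell environment shadowed."""
    env = os.environ if environ is None else environ
    applied = {}
    for key, value in parse_dotenv(text).items():
        if key in env and not override:
            continue
        env[key] = value
        applied[key] = value
    return applied


def require_env(name, environ=None):
    """Fail loudly when a required secret is missing instead of carrying None
    (what os.getenv would return) into a login attempt."""
    env = os.environ if environ is None else environ
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"required environment variable {name} is not set") from None


if __name__ == "__main__":
    # Demo against a throwaway mapping so the real environment is untouched.
    fake_env = {"USER": "root"}
    print("applied:", load_dotenv_stdlib(SAMPLE_ENV, environ=fake_env))
    print("USER stays:", fake_env["USER"])
    print("password:", require_env("PASSWORD", fake_env))
```

Run with a real .env by passing its contents to load_dotenv_stdlib and omitting the environ argument; in CI, inject the same variables through the pipeline's secret store instead of shipping the file.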





Software-Security considerations


Git was meant to be decentralized!



Hosting 

Keep in mind that hosting services such as GitHub and GitLab have been
vulnerable before and could be again. Self-hosting may be an option.

Remember that self-hosting makes protecting physical access, patching the
server, backing up data and similar duties your responsibility.

Authentication 

Use two-factor authentication whenever possible. GitHub recommends a 2FA app
(e.g. Authy, Google Authenticator) over SMS codes; hardware security keys
(FIDO2/WebAuthn) are stronger still, because they resist phishing.



Be careful about SHA1 

Git uses SHA-1 to compute object and commit IDs. SHA-1 is no longer considered
collision-resistant: practical collisions have been crafted since 2017 (the
SHAttered attack).

In principle an attacker who can produce a colliding object could swap in
different content under the same ID. Since version 2.13 Git hashes with the
collision-detecting SHA-1DC implementation, which rejects inputs showing the
known attack patterns, but that is a mitigation, not a replacement.

Linus Torvalds did not design Git with a replaceable hash algorithm in mind.
The Git developers have been working on the transition to SHA-256 since 2014.
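To make the point concrete, here is an added example (not code from the original page or from Git itself) that recomputes Git object IDs the way git hash-object does: the hash covers a header "<type> <size>\0" plus the raw content, a tree refers to each blob only by its binary hash, and a commit refers to the tree only by its hash. That chain is exactly why a colliding blob would leave every ID above it unchanged, and why switching the function to SHA-256 (the object format of repositories created with git init --object-format=sha256) is a format change rather than a one-line fix. The author string and file content are constructed sample data.

```python
"""How Git derives object IDs, and what changes with the SHA-256 object format.
Added example, not Git's own code. SAMPLE_AUTHOR and the file content are
constructed sample data."""
import hashlib

SAMPLE_AUTHOR = "Evil Platypus <your@mail.com> 1580342400 +0100"  # constructed


def git_object_id(data, obj_type="blob", algo="sha1"):
    """Return the hex object ID Git assigns to `data`.

    Git hashes the header '<type> <size>\\0' followed by the raw content.
    The construction is identical for SHA-256 repositories; only the hash
    function changes, which is why the transition touches every on-disk format."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("Git supports only the sha1 and sha256 object formats")
    header = f"{obj_type} {len(data)}\0".encode()
    return hashlib.new(algo, header + data).hexdigest()


def tree_object_id(entries, algo="sha1"):
    """Hash a tree from (mode, name, blob_hex) entries.

    Git sorts entries by name (plain files here; subdirectories sort with a
    trailing '/') and stores each child's ID in binary, so the tree commits to
    the blob only through its hash, never through its content."""
    body = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(blob_hex)
        for mode, name, blob_hex in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id(body, "tree", algo)


def commit_object_id(tree_hex, message, author=SAMPLE_AUTHOR, algo="sha1"):
    """Hash a root commit (no parents). The commit ID depends on the tree ID and
    metadata, not on file contents: two blobs with the same SHA-1 would yield the
    same tree and the same commit ID."""
    body = (
        f"tree {tree_hex}\nauthor {author}\ncommitter {author}\n\n{message}\n"
    ).encode()
    return git_object_id(body, "commit", algo)


if __name__ == "__main__":
    # Same value as: echo "hello world" | git hash-object --stdin
    blob = git_object_id(b"hello world\n")
    tree = tree_object_id([("100644", "hello.txt", blob)])
    print("blob   ", blob)
    print("tree   ", tree)
    print("commit ", commit_object_id(tree, "initial import"))
    print("sha256 blob", git_object_id(b"hello world\n", algo="sha256"))
```

The well-known constants (the empty blob e69de29b..., the empty tree 4b825dc6...) fall out of the same function, which is a handy sanity check when auditing tooling that claims to verify object integrity: anything that only compares IDs inherits SHA-1's weaknesses.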




GitHub Dorks 

Attackers search GitHub for sensitive data with search qualifiers such as
filename:.env (path:.env in the newer code search). Do the same for your own
organisation before they do.


USEFUL TOOLS 

The following tools can help to identify potential
leaks. Consider running them in pre-commit hooks so a secret is caught before
it enters the history.

git-secrets 

In git-secrets you can define your own rules (regular expressions and
allow-lists) for checking your code before committing.


TruffleHog

TruffleHog searches all branches and the whole commit history for
high-entropy data and other possible leaks.

GitGot

GitGot is a semi-automated, feedback-driven tool to empower users to rapidly
search through troves of public data on GitHub for sensitive secrets.

shhgit 

shhgit is a website to monitor public repositories live for possible breaches
via the GitHub Event API.
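As an added example of what such a pre-commit check does (not code from git-secrets, TruffleHog or any other project listed above), the following scanner inspects only the added lines of a staged diff and combines the two techniques those tools use: named rules for known credential shapes, and a Shannon-entropy heuristic for random-looking strings. The rule set, threshold and the sample diff are constructed for illustration; the dictionary-style password in the sample shows why the entropy check alone is not enough, and the long run of identical characters shows why the threshold matters.

```python
"""Toy pre-commit secret scanner in the spirit of git-secrets and TruffleHog.
Added example, not code from those projects; RULES, ENTROPY_THRESHOLD and
SAMPLE_DIFF are constructed for illustration."""
import math
import re
import subprocess
import sys
from collections import Counter

# Hypothetical minimal rule set for well-known credential shapes.
RULES = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?[^'\"\s]{8,}"
    ),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")  # candidates for the entropy check
ENTROPY_THRESHOLD = 4.0  # bits per character; random hex/base64 of this length scores higher


def shannon_entropy(s):
    """Bits per character: 0.0 for a run of one symbol, log2(len) when all differ."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_diff(diff_text):
    """Inspect only the added lines of a unified diff and return
    (path, rule, line) findings. Lines hit by a named rule are not re-reported
    by the entropy heuristic."""
    findings = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+"):
            continue  # removed lines, context, headers and hunk markers
        added = line[1:]
        matched = [name for name, rx in RULES.items() if rx.search(added)]
        if not matched and any(
            shannon_entropy(tok) >= ENTROPY_THRESHOLD for tok in TOKEN_RE.findall(added)
        ):
            matched.append("high_entropy")
        findings.extend((path, name, added.strip()) for name in matched)
    return findings


# Constructed staged diff: a dictionary password (low entropy, caught by a rule),
# AWS's documented example key, a 32-distinct-character token (entropy exactly
# 5.0 bits) and a long but zero-entropy identifier that must not be reported.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import os
-PASSWORD = os.getenv("PASSWORD")
+PASSWORD = 'somepasswordleowouldchooseforemails'
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SESSION = "Zq3vX8kL0mN2pR5sT7wY1aB4cD6eF9gH"
 EMAIL_PORT = 25
+MARKER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    if "--demo" in sys.argv:
        diff = SAMPLE_DIFF
    else:  # installed as .git/hooks/pre-commit: inspect what is about to be committed
        diff = subprocess.run(["git", "diff", "--cached"], capture_output=True,
                              text=True, check=True).stdout
    hits = scan_diff(diff)
    for path, rule, text in hits:
        print(f"{path}: {rule}: {text}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Drop the script into .git/hooks/pre-commit (executable) and a non-zero exit blocks the commit; run it with --demo to see the three expected findings. Real scanners add allow-lists, scan the full history and tune the threshold per file type, because a fixed 4.0 both misses short keys and flags hashes in lock files.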